Isuso Works

Configuring Website Security Settings

Essential security measures to protect your website from common threats — covering HTTPS, security headers, login protection, file permissions, and how to conduct regular security audits.

Updated March 28, 2025

1. Website Security Fundamentals

Website security is not a single setting but a layered defence strategy. No single measure is 100% foolproof — the goal is to make your site a harder target than the next. Think in terms of these layers:

  • Transport security — encrypt data in transit (HTTPS/TLS)
  • Application security — sanitise inputs, use security headers, keep software updated
  • Access control — limit who can log in, what they can do, and from where
  • Monitoring — detect and respond to unusual activity quickly

Canadian Context

Under PIPEDA, you are required to implement security safeguards appropriate to the sensitivity of the personal data you hold. A data breach involving personal information must be reported to the Privacy Commissioner of Canada.

2. Enabling HTTPS and SSL/TLS

HTTPS encrypts all traffic between your visitor's browser and your server. Without it, passwords, form data, and session tokens travel in plain text — readable by anyone on the same network.

Steps to enable HTTPS:

  1. Obtain an SSL/TLS certificate — free via Let's Encrypt (certificates are valid for 90 days and are renewed automatically by the ACME client), or from your hosting provider
  2. Install the certificate on your server or enable it through your hosting control panel (cPanel, Plesk, etc.)
  3. Redirect all HTTP traffic to HTTPS with a 301 redirect
  4. Update all internal links and asset URLs from http:// to https://
  5. Enable HSTS (HTTP Strict Transport Security) to prevent downgrade attacks

On Netlify and Similar Platforms

Netlify, Vercel, and Cloudflare Pages provision Let's Encrypt certificates automatically on custom domains. Enable "Force HTTPS" in your domain settings — no manual configuration needed.

3. Security Headers

HTTP security headers instruct browsers on how to behave when rendering your pages. They are one of the most cost-effective security improvements you can make.

Header                     | Purpose                    | Recommended Value
X-Content-Type-Options     | Prevents MIME-sniffing     | nosniff
X-Frame-Options            | Prevents clickjacking      | DENY or SAMEORIGIN
Referrer-Policy            | Controls referrer info     | strict-origin-when-cross-origin
Content-Security-Policy    | Restricts resource loading | Define trusted sources per directive
Strict-Transport-Security  | Forces HTTPS               | max-age=31536000; includeSubDomains

For Netlify, add these headers in a netlify.toml file under the [[headers]] section, or in a _headers file in your publish directory.
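A small checker, added here as an example (it is not the article's own code), that audits a set of response headers against the table above and renders the equivalent Netlify _headers file. The header names and values come from the table; the sample responses are constructed for illustration.

```python
# Added example (not the article's own code): audits response headers against the
# table above and renders the matching Netlify _headers file. Header names and
# values are the table's; the sample responses are constructed for illustration.
from typing import Dict, List

REQUIRED_HSTS_MAX_AGE = 31536000  # one year, as recommended above


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    if not h.get("referrer-policy"):
        findings.append("Referrer-Policy missing (use strict-origin-when-cross-origin)")
    if not h.get("content-security-policy"):
        findings.append("Content-Security-Policy missing")
    # HSTS: parse its directives and require a one-year max-age plus includeSubDomains
    directives = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    max_age = 0
    for d in directives:
        if d.startswith("max-age=") and d[8:].isdigit():
            max_age = int(d[8:])
    if max_age < REQUIRED_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age should be at least 31536000")
    if "includesubdomains" not in directives:
        findings.append("Strict-Transport-Security should include includeSubDomains")
    return findings


def render_netlify_headers(csp: str) -> str:
    """Emit a Netlify _headers file applying the recommended values to every path."""
    return "\n".join([
        "/*",
        "  X-Content-Type-Options: nosniff",
        "  X-Frame-Options: DENY",
        "  Referrer-Policy: strict-origin-when-cross-origin",
        f"  Content-Security-Policy: {csp}",
        "  Strict-Transport-Security: max-age=31536000; includeSubDomains",
    ]) + "\n"


# Constructed sample: a default response that is missing most protections.
WEAK_RESPONSE = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL",
                 "Strict-Transport-Security": "max-age=300"}
```

Running audit_headers on WEAK_RESPONSE reports six findings; the headers emitted by render_netlify_headers pass every check.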

4. Login Page Protection

Brute-force attacks systematically try thousands of password combinations against your login page. Defend against them with:

  • Rate limiting — block IPs after repeated failed attempts
  • CAPTCHA — add reCAPTCHA v3 or Cloudflare Turnstile after multiple failures
  • Account lockout — lock after 10 failures, notify the user, require email unlock
  • Two-factor authentication — see the 2FA guide
  • Change the default login URL — on WordPress, change /wp-admin to a custom path
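The rate-limiting, CAPTCHA and lockout rules above, modelled as an in-memory guard that a login handler consults before and after checking a password. This is an added example, not code from the article; the lockout threshold of 10 is the article's, while the rate-limit window, the CAPTCHA threshold and the unlock-token scheme are assumptions.

```python
# Added example (not the article's own code): an in-memory model of the login
# defences listed above: per-IP rate limiting, a CAPTCHA step after repeated
# failures, and lockout after 10 failures with an emailed unlock token.
import secrets
import time
from collections import defaultdict, deque

RATE_LIMIT, RATE_WINDOW = 5, 300   # failures per IP within 5 minutes (assumed values)
CAPTCHA_AFTER, LOCKOUT_AFTER = 3, 10   # per-account failures; 10 is the article's threshold

class LoginGuard:
    def __init__(self, now=time.time):
        self.now = now                           # injectable clock for testing
        self.ip_failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.account_failures = defaultdict(int)
        self.locked = {}                         # username -> unlock token

    def _recent(self, ip):
        q = self.ip_failures[ip]
        while q and q[0] < self.now() - RATE_WINDOW:   # drop failures outside the window
            q.popleft()
        return q

    def check(self, username, ip):
        """Decide what the login form must do BEFORE checking the password."""
        if username in self.locked:
            return "locked"
        if len(self._recent(ip)) >= RATE_LIMIT:
            return "rate_limited"
        if self.account_failures[username] >= CAPTCHA_AFTER:
            return "captcha_required"
        return "allow"

    def record_failure(self, username, ip):
        """Call after a wrong password; returns the unlock token when lockout triggers."""
        self._recent(ip).append(self.now())
        self.account_failures[username] += 1
        if self.account_failures[username] >= LOCKOUT_AFTER and username not in self.locked:
            self.locked[username] = secrets.token_urlsafe(32)   # email this to the user
            return self.locked[username]
        return None

    def unlock(self, username, token):
        """Unlock only with the exact emailed token (constant-time comparison)."""
        expected = self.locked.get(username)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        del self.locked[username]
        self.account_failures.pop(username, None)
        return True
```

A successful login should also clear account_failures for that user; that reset is left to the calling handler.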

5. File and Directory Permissions

Incorrect file permissions let attackers read sensitive configuration files or execute malicious scripts. Follow the principle of least privilege:

  • Directories: 755 (owner can write; group and others can read and execute)
  • Files: 644 (owner can read/write; others read only)
  • Config files (wp-config.php, .env): 600 or 640
  • Never set files or directories to 777 (world-writable)

Additionally, block access to sensitive files via your web server configuration or .htaccess: deny public access to .env, composer.json, and backup archives.
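An audit script, added as an example (not the article's own code), that walks a web root and reports every path whose permissions deviate from the values above. It builds a constructed sample tree in a temporary directory so it can be run offline; the file names are the ones the article mentions.

```python
# Added example (not the article's own code): walks a web root and reports paths
# whose permissions differ from the values listed above (755 for directories,
# 644 for files, 600 or 640 for config files, and never world-writable).
# The sample tree is constructed in a temporary directory so it runs offline.
import os
import stat
import tempfile

SENSITIVE_NAMES = {"wp-config.php", ".env"}
DIR_MODE, FILE_MODE, CONFIG_MODES = 0o755, 0o644, {0o600, 0o640}


def audit_permissions(root):
    """Return (relative path, actual mode, expected) for every deviation found."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)   # permission bits only
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:                        # 777 and friends: always wrong
                findings.append((rel, oct(mode), "world-writable"))
            elif name in dirnames:
                if mode != DIR_MODE:
                    findings.append((rel, oct(mode), "755"))
            elif name in SENSITIVE_NAMES:
                if mode not in CONFIG_MODES:
                    findings.append((rel, oct(mode), "600 or 640"))
            elif mode != FILE_MODE:
                findings.append((rel, oct(mode), "644"))
    return findings


def build_sample_tree():
    """Constructed sample web root containing three deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)            # mistake 1: world-writable
    files = [("index.php", 0o644), ("wp-config.php", 0o644),   # mistake 2: world-readable config
             (".env", 0o600), ("style.css", 0o664)]            # mistake 3: group-writable
    for name, mode in files:
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```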

6. Regular Security Audits

Security is not a one-time task. Schedule regular reviews to catch issues before attackers do:

Frequency  | Task
Weekly     | Apply CMS, plugin, and theme updates
Monthly    | Review user accounts; remove inactive or unused ones
Quarterly  | Run a vulnerability scan (Sucuri SiteCheck, WPScan); review server logs
Annually   | Full penetration test; review and update your Privacy Policy and incident response plan

7. Troubleshooting

Mixed content warnings after enabling HTTPS
Some assets (images, scripts) are still loaded over HTTP. Use your browser's developer tools to identify them, then update their URLs to HTTPS. Plugins like "Better Search Replace" can bulk-update URLs in a database.
Content Security Policy (CSP) blocks legitimate resources
Start with a Report-Only header to identify violations without blocking anything. Gradually tighten the policy once you have a complete list of your trusted sources.
SSL certificate expired
Let's Encrypt certificates must be renewed every 90 days. Set up auto-renewal via your hosting panel or a cron job. Most modern platforms (Netlify, Vercel) handle this automatically.
Site flagged as malware by Google
Run a malware scan immediately (Sucuri, MalCare). Remove infected files, change all credentials, and submit a Review Request through Google Search Console once the site is clean.
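For the mixed-content case above, a scanner added as an example (not the article's own code) that lists the sub-resources a page still references over plain HTTP and upgrades them to https://. The set of fetch attributes it inspects is an assumption covering the common cases, and the sample page is constructed.

```python
# Added example (not the article's own code): lists the sub-resources a page
# still loads over plain HTTP, the cause of the mixed-content warning above,
# and upgrades them to https://. The attribute set is an assumption covering
# the common fetch attributes; the sample page is constructed.
from html.parser import HTMLParser

# tag -> attributes whose URL the browser fetches as a sub-resource
FETCH_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "object": ("data",), "form": ("action",),
}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr in FETCH_ATTRS.get(tag, ()) and value:
                for candidate in value.split(","):          # srcset lists several URLs
                    url = candidate.strip().split(" ")[0]
                    if url.lower().startswith("http://"):
                        self.findings.append((tag, attr, url))


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings


def rewrite_to_https(html, urls):
    """Upgrade the reported URLs; check first that each host actually serves HTTPS."""
    for url in urls:
        html = html.replace(url, "https://" + url[len("http://"):])
    return html


# Constructed sample page with two insecure references and one that is fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="https://example.com/logo.png" srcset="http://example.com/logo@2x.png 2x">
</body></html>"""
```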

For further assistance, contact our support team.
